Abstract — Formal analysis techniques are widely used today 
in order to verify and analyze communication protocols. In this 
work, we launch a quantitative verification analysis for the low- 
cost Radio Frequency Identification (RFID) protocol proposed 
by Song and Mitchell. The analysis exploits a Discrete-Time 
Markov Chain (DTMC) using the well-known PRISM model 
checker. We have managed to represent up to 100 RFID tags 
communicating with a reader and quantify each RFID session 
according to the protocol's computation and transmission cost 
requirements. As a consequence, not only does the proposed 
analysis provide quantitative verification results, but also it 
constitutes a methodology for RFID designers who want to 
validate their products under specific cost requirements. 

Index Terms — Discrete Time Markov Chains; Probabilistic 
Model Checking; RFID; Quantitative Analysis. 

I. Introduction 

Formal analysis techniques, such as probabilistic model checking, are widely used today to analyze and verify communication protocols [3], [6]. In the literature, security protocols published with flaws H], [10], [11] are examples that underline the necessity of using formal methods prior to the design and implementation of a communication protocol. At the same time, given that security is a fundamental issue in communication protocols Q, [9], quantitative formal analysis can be applied to obtain useful results regarding both the validation of their security properties and the cost to support them O, [12]. This is important, since the tradeoff of gaining in security is losing in terms of computation cost. Therefore, cost should not be overlooked throughout quantitative analysis, since it can be a prohibitive design parameter, especially for protocols executed by low-cost hardware devices, such as RFID tags.

RFID tags are used in industry for supply-chain management, payment systems and inventory monitoring [13] and constitute one of the three (3) basic entities of an RFID system along with RFID readers and a server. One of the great challenges in the field of RFID is the integration of secure tag identification with low-cost computation and memory expenditure [14]. This requirement forces tag manufacturers to look for lightweight authentication solutions which preserve the security guarantees of an RFID protocol session. In a real-world scenario, an RFID protocol operates in a multi-parallel session environment where a large number of sessions between tags and reader will be established concurrently. The latter raises questions about the overall computation and transmission cost for a reader-server to identify a group of tags.

In this work, we propose the use of probabilistic model checking [7] to verify Song and Mitchell's RFID authentication protocol [14]. We develop a Discrete-Time Markov Chain (DTMC) model [5] which represents a multiple-tag RFID scheme where tags' authentications are validated. In the PRISM framework, the aforementioned DTMC model is augmented with computation and transmission cost requirements derived from [14]. We produce quantitative results for the computation cost of server and tags and for the transmission cost regarding up to 100 simultaneous parallel sessions. We also provide server processing time and tags' time delay results. To the best of our knowledge, this is the first research effort that performs a quantitative analysis of an RFID protocol using probabilistic model checking.

II. Song-Mitchell's RFID Protocol 

The Song and Mitchell's protocol is a well-known authentication protocol for low-cost RFID tags [14]. It comprises three (3) basic entities, namely, a group of RFID tags $T_i$, an RFID reader $R$ that radio-communicates with $T_i$, and a back-end server $S$ that contains the record identification database for each tag $T_i$, i.e. $[(u_i, t_i)_{new}, (u_i, t_i)_{old}, D_i]$. A single protocol session consists of six (6) steps, as shown in Fig. 1. According to the notation provided in Table I, these steps are summarized as follows:

1) Reader $R$ generates a random value $r_1 \in_R \{0,1\}^l$ and sends it to $T_i$.

2) Once $T_i$ receives $r_1$, it generates a random value $r_2 \in_R \{0,1\}^l$, computes $M_1 = t_i \oplus r_2$ and $M_2 = f_{t_i}(r_1 \oplus r_2)$ and sends them to the reader $R$.

3) $R$ forwards $M_1$, $M_2$ and the random bit-string $r_1$ to the server $S$.

4) $S$ looks into its tag identity pairs database, both new and old, for a $t_i$ such that $r_2 \leftarrow M_1 \oplus t_i$ and $M_2 = f_{t_i}(r_1 \oplus r_2)$. If no suitable $t_i$ is found, $S$ sends an error message to $R$ and stops the session. Otherwise, $T_i$ has been authenticated by $S$ which, in turn, computes $M_3 = u_i \oplus (r_2 \gg l/2)$ and sends it to $R$ along with $D_i$. After the $M_3$ transmission, $S$ updates its tag database as follows: it sets $u_{i(old)}$, $t_{i(old)}$ to $u_i$ and $t_i$, respectively, and $u_{i(new)}$, $t_{i(new)}$ to $(u_i \ll l/4) \oplus (t_i \gg l/4) \oplus r_1 \oplus r_2$ and $h(u_{i(new)})$, respectively.

Fig. 1. The analyzed Song-Mitchell's RFID authentication protocol

5) $R$ forwards $M_3$ to $T_i$.

6) Upon receipt of $M_3$, $T_i$ computes $u_i \leftarrow M_3 \oplus (r_2 \gg l/2)$ and checks if $h(u_i) = t_i$. If the check is true, then $S$ has been authenticated by $T_i$ and $T_i$ updates $t_i$ to $h((u_i \ll l/4) \oplus (t_i \gg l/4) \oplus r_1 \oplus r_2)$. Otherwise, $t_i$ remains the same.

In the above communication, the channel between the server $S$ and the reader $R$ is secure, while $R$ and $T_i$ communicate over an insecure channel. The proposed model considers two different groups of tags, namely the groups $T_a$ and $T_b$, with $n = 1, \ldots, 50$ tags $T_i$ per group. Given this range of $n$, we define $N = 2, \ldots, 100$ to be the upper bound of tags that the server $S$ can authenticate concurrently.
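
The six steps above as a runnable exchange, including the case where $M_3$ is lost on the insecure channel and the server has to match the tag through its old pair. This is an added example, not code from the paper or from Song and Mitchell. Assumptions: l = 128, h is SHA-256 and f_k is HMAC-SHA-256 (both truncated to l bits), the shifts are circular, and all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

L = 128                                   # assumed bit-length l of identifiers
MASK, NB = (1 << L) - 1, L // 8

def h(x):                                 # assumed h: SHA-256 truncated to l bits
    return int.from_bytes(hashlib.sha256(x.to_bytes(NB, "big")).digest()[:NB], "big")
def f(k, x):                              # assumed f_k: HMAC-SHA-256 truncated to l bits
    mac = hmac.new(k.to_bytes(NB, "big"), x.to_bytes(NB, "big"), hashlib.sha256)
    return int.from_bytes(mac.digest()[:NB], "big")

def rotr(x, n):                           # x >> n, assumed to be a circular shift
    return ((x >> n) | (x << (L - n))) & MASK
def rotl(x, n):                           # x << n, assumed to be a circular shift
    return rotr(x, L - n)
def refresh(u, t, r1, r2):                # (u << l/4) xor (t >> l/4) xor r1 xor r2
    return rotl(u, L // 4) ^ rotr(t, L // 4) ^ r1 ^ r2

class Tag:
    def __init__(self, t):
        self.t = t                        # the tag stores only t_i = h(u_i)
    def respond(self, r1):                # step 2: returns (M1, M2)
        self.r1, self.r2 = r1, secrets.randbits(L)
        return self.t ^ self.r2, f(self.t, r1 ^ self.r2)
    def finish(self, m3):                 # step 6: authenticate S, then update t_i
        u = m3 ^ rotr(self.r2, L // 2)
        if h(u) != self.t:
            return False                  # t_i remains the same
        self.t = h(refresh(u, self.t, self.r1, self.r2))
        return True

class Server:
    def __init__(self):
        self.db = []                      # one record per tag: new pair, old pair, D_i
    def enroll(self, info):
        u = secrets.randbits(L)
        self.db.append({"new": (u, h(u)), "old": (u, h(u)), "D": info})
        return h(u)                       # t_i, to be written into the tag
    def authenticate(self, r1, m1, m2):   # step 4: returns (M3, D_i) or None
        for rec in self.db:
            for u, t in (rec["new"], rec["old"]):
                r2 = m1 ^ t
                if f(t, r1 ^ r2) == m2:
                    u_new = refresh(u, t, r1, r2)
                    rec["old"], rec["new"] = (u, t), (u_new, h(u_new))
                    return u ^ rotr(r2, L // 2), rec["D"]
        return None                       # error message to R, session stops

def run_session(server, tag, drop_m3=False):
    r1 = secrets.randbits(L)              # step 1
    reply = server.authenticate(r1, *tag.respond(r1))   # steps 2-4
    if reply is None: return None
    m3, info = reply                      # drop_m3: M3 never reaches the tag
    return info if drop_m3 or tag.finish(m3) else None  # steps 5-6
```

After a dropped $M_3$ the tag still holds the identifier that the server has moved to its old pair, so the next session authenticates through that pair and both sides resynchronize.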

III. RFID Modeling Using DTMC 

The proposed analysis is based on probabilistic model checking principles. The RFID protocol to be analyzed is modeled using DTMCs in the PRISM model checking framework. The proposed model is augmented with computation and transmission cost requirements derived from [14]. The reader may obtain the developed RFID-DTMC model from [2].

TABLE I
Table of Notation

Symbol                        Description
$T = \{T_1, \ldots, T_n\}$    Group of tags $T_i$, $i = 1, \ldots, n$
$n$                           Number of tags, $n = 1, \ldots, 50$
$R$                           RFID reader
$S$                           Back-end server
$h$                           Hash function
$f_k$                         Keyed hash function
$l$                           The bit-length of a tag identifier
$D_i$                         Information associated with tag $T_i$
$u_i$                         An $l$-bit string assigned to $T_i$
$t_i$                         $T_i$'s $l$-bit identifier, $t_i = h(u_i)$
$x_{new}$                     The updated value of $x$
$x_{old}$                     The most recent value of $x$
$r$                           Random string of $l$ bits
$\oplus$                      XOR operator

In PRISM, a probabilistic model is defined as a set of $m$ modules, $MD = \{MD_1, \ldots, MD_m\}$. Each module $MD_i$ is defined as a pair $(Var_i, C_i)$, where $Var_i$ is a set of integer-valued local variables with finite range and $C_i$ is a set of commands. The set $Var_i$ defines the local state space of module $MD_i$ and in turn $Var$ denotes the set of all local variables of the model, i.e., $Var = \bigcup_{i=1}^{m} Var_i$. Furthermore, each variable $v \in Var$ has an initial value $\bar{v}$.

Our DTMC model includes $m = 4$ modules, namely, $MD_S$ representing both the server $S$ and the reader $R$, $MD_{T_a}$ and $MD_{T_b}$ for the groups of tags $T_a$ and $T_b$, and $MD_{Medium}$ for the communication medium between $MD_S$, $MD_{T_a}$ and $MD_{T_b}$. The behavior of a module $MD_i$ is defined by the set of commands $C_i$. Each command $c \in C_i$ takes the form $(g, (\lambda_1, u_1), \ldots, (\lambda_{n_c}, u_{n_c}))$, comprising a guard $g$ and a set of pairs $(\lambda_j, u_j)$, where $\lambda_j \in \mathbb{R}_{>0}$ and $u_j$ is an update for each $1 \leq j \leq n_c$. A guard $g$ is a predicate over the set of all local variables $Var$ and each update $u_j$ corresponds to a possible transition of module $MD_i$. If $Var_i$ contains $n_i$ local variables, $\{v_1, \ldots, v_{n_i}\}$, then an update takes the form $(v_1' = expr_1) \wedge \ldots \wedge (v_{n_i}' = expr_{n_i})$, where $expr_j$ is an expression in terms of the variables in $Var$. Information of the model may be omitted if an update $u_j$ does not affect some variables of $Var_i$. In the DTMC model specification, the constants $\lambda_j$ determine the probability attached to transitions (i.e., the probability that the update takes place), thus $\lambda_j \in (0, 1]$ for $1 \leq j \leq n_c$ and $\sum_{j=1}^{n_c} \lambda_j = 1$ [4].

More specifically, a DTMC model is defined as a tuple $(S, s, P, L)$, where:

• $S$ is a finite set of states

• $s \in S$ is the initial state

• $P : S \times S \rightarrow \mathbb{R}_{\geq 0}$ is the transition probability matrix such that $\sum_{s' \in S} P(s, s') = 1$ for all $s \in S$

• $L : S \rightarrow 2^{AP}$ is a labeling function mapping states to sets of atomic propositions from a set $AP$ with the properties of interest

Terminating states are modeled by a single transition going back to the same state with probability 1. DTMCs are further described in [5]. In order to attach RFID cost parameters to the developed DTMC model, we define reward modules $MD_{RC}$ and $MD_{RT}$ which correspond to the RFID computation and transmission requirements, respectively fT?^.

Results will be acquired by defining the appropriate formulae properties according to the Probabilistic Computational Tree Logic (PCTL) [8]. The syntax of PCTL is as follows:

$\phi ::= \text{true} \mid a \mid \phi \wedge \phi \mid \neg\phi \mid P_{\bowtie p}[\psi]$

$\psi ::= X\,\phi \mid \phi\, U^{\leq t}\, \phi \mid \phi\, U\, \phi$

where $a$ is an atomic proposition, operator $\bowtie \in \{<, \leq, >, \geq\}$, $p \in [0, 1]$ and $t \in \mathbb{R}_{\geq 0}$.

For a DTMC $(S, s, P, L)$, a reward structure is a tuple $(\rho, \iota)$, where:

• $\rho : S \rightarrow \mathbb{R}_{\geq 0}$ is a vector of state rewards, and

• $\iota : S \times S \rightarrow \mathbb{R}_{\geq 0}$ is a matrix of transition rewards.

DTMC allows the specification of four distinct types of rewards $R$:

• Instantaneous $R_{\bowtie r}[I^{=t}]$: the expected value of the reward at time-instant $t$ is $\bowtie r$,

• Cumulative $R_{\bowtie r}[C^{\leq t}]$: the expected reward cumulated up to time-instant $t$ is $\bowtie r$,

• Reachability $R_{\bowtie r}[F\,\phi]$: the expected reward cumulated before reaching $\phi$ is $\bowtie r$,

• Steady-state $R_{\bowtie r}[S]$: the long-run average expected reward is $\bowtie r$.

Fig. 2. The number of RFID tags under authentication as a function of time for different upper bound of tags

Fig. 3. Transmission cost of RFID authentication protocol as a function of time for different upper bound of tags $N$

Cumulative and reachability reward properties are employed for the quantitative verification of the proposed RFID-DTMC model.
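
The two reward query types used in this work, cumulative $R[C^{\leq t}]$ and reachability $R[F\,\phi]$, computed directly from $P$, $\rho$ and $\iota$ on a small chain. This is an added example, not the authors' PRISM model from [2]; the saturating tag-count chain, the admission probability p, the reward values and all function names are constructed assumptions.

```python
def backup(P, rho, iota, v):
    """v'(s) = rho(s) + sum over s' of P(s,s') * (iota(s,s') + v(s'))."""
    return [rho[s] + sum(p * (iota.get((s, s2), 0.0) + v[s2]) for s2, p in row.items())
            for s, row in enumerate(P)]

def cumulative_reward(P, rho, iota, s0, t):
    """R[C<=t]: expected reward accumulated over the first t steps from s0."""
    v = [0.0] * len(P)
    for _ in range(t):
        v = backup(P, rho, iota, v)
    return v[s0]

def reachability_reward(P, rho, iota, s0, target, eps=1e-12):
    """R[F target]: expected reward accumulated before reaching `target`.
    Value iteration; assumes `target` is reached with probability 1."""
    v = [0.0] * len(P)
    while True:
        nv = backup(P, rho, iota, v)
        for s in target:
            nv[s] = 0.0                      # nothing accrues once the target is reached
        if max(abs(a - b) for a, b in zip(nv, v)) < eps:
            return nv[s0]
        v = nv

def tag_count_dtmc(N, p):
    """Constructed toy chain: state k = tags under authentication, capped at N."""
    P = [{k: 1.0 - p, k + 1: p} for k in range(N)] + [{N: 1.0}]    # N is absorbing
    assert all(abs(sum(row.values()) - 1.0) < 1e-12 for row in P)  # rows sum to 1
    return P

N, p = 4, 0.5                                # constructed values
P = tag_count_dtmc(N, p)
tags = [float(k) for k in range(N + 1)]      # state reward rho(k) = k
per_step = [1.0] * (N + 1)                   # rho = 1 measures elapsed time steps
admit = {(k, k + 1): 3.0 for k in range(N)}  # transition reward iota per admitted tag
```

With these values the expected number of time steps until all $N$ tags are under authentication is $N/p$, and the per-step growth of the cumulative reward with $\rho(k) = k$ levels off at $N$ once the chain has saturated.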

IV. Quantitative Verification Results 

The novelty of the current work is that, for the first time, probabilistic model checking using DTMCs is employed in order to verify the properties of the RFID authentication protocol. In the proposed quantitative analysis we model multiple RFID sessions according to the steps described in Section II. Since our model considers two groups $T_a$ and $T_b$ of up to 50 tags each, it follows that the server $S$ can authenticate concurrently an upper bound of up to $N = 100$ tags.

Fig. 2 represents the number of RFID tags which are under authentication as a function of time expressed in time steps. It is natural that as time passes the server $S$ will authenticate an increasing number of incoming tags $T_i$. However, this number has a threshold equal to $N$, i.e., the upper bound of tags being authenticated concurrently. We observe that for $N = 50, 75, 100$ the corresponding curve is fixed at $N$, and this happens at time steps 1100, 1600 and 2200, respectively. This means that the smaller the $N$, the sooner the curve becomes fixed.

In line with the above observation, it is expected that the transmission cost of the RFID protocol, which depends on the number of tags under concurrent authentication, will increase with time but will not exceed an upper limit, which indicates the time at which the server $S$ is constantly fully occupied with tags. Thus, Fig. 3 confirms that at time steps 1100, 1600 and 2200 the tags' authentication requests will be fixed at their maximum, keeping the transmission cost unchanged. The results depicted in Figs. 2 and 3 were derived using cumulative reward queries.

Fig. 4. Server- and tag-side computation cost as a function of the upper bound of tags $N$

Fig. 5. Server processing time and tags' time delay as a function of the upper bound of tags

Apart from transmission cost, the proposed analysis incorporates the computation requirements of the RFID protocol. More specifically, according to [14], the server-side and tag-side cost is exponential and linear to the number of tags, respectively. In Fig. 4 we depict the computation cost at server- and tag-side as a function of $N$, for $N = 10, \ldots, 100$, and we confirm the expected trend of the curves.

We finally launch a set of experiments in order to compute the service rate and mean tags' delay. Fig. 5 shows that both the server processing time and tags' time delay increase in line with $N$, for $N = 10, \ldots, 100$. The service rate is equal to 25 tags per time step while the mean tags' delay is approximately 4.5 time steps. The results depicted in Figs. 4 and 5 were derived using reachability reward queries.

An additional value of the proposed model, besides the above results, is that it is designed to be configurable. The cost requirements incorporated in the proposed model are protocol dependent, giving an analyst the capability of assigning rewards according to the hardware specifications of a protocol.

V. Conclusion 

Quantitative analysis using probabilistic model checking is used for the first time in this work in order to verify cost requirements of the Song and Mitchell's RFID authentication protocol, while its security properties are preserved. We have managed to create a representative cost-weighted DTMC model within the PRISM model checking environment, towards the quantitative analysis of a parallel session scenario that includes up to 100 RFID tag identifications.

Apart from the results produced by the proposed analysis, the current work provides insights for addressing cost-related issues of RFID protocols and deciding upon their cost-dependent viability in line with their security guarantees.

Our future plans involve the cost-based analysis of RFID solutions [13] which propose some fixes for strengthening the security of RFID protocols. In this way we will be able to evaluate the computation cost caused by a fix. Furthermore, our goal is to model and compare a series of Radio Identification protocols using the proposed analysis. In this way we will provide researchers and protocol designers with a complete framework for quantitatively analyzing any security mechanism embedded in existing or new RFID protocols, especially when exploiting low-cost hardware.

References 

[1] S. Basagiannis, P. Katsaros, A. Pombortsis, and N. Alexiou, "A probabilistic attacker model for quantitative verification of dos security threats," in Proc. of the 32nd Annual IEEE International Conference on Computer Software and Applications (COMPSAC'08), Finland, July 2008, pp. 12-19.

[2] S. Basagiannis, I. Paparrizos, and S. Petridou, "Quantitative analysis for authentication of low-cost rfid tags: The dtmc model." [Online]. Available: http://users.auth.gr/~basags/rfid.html

[3] S. Basagiannis, S. Petridou, N. Alexiou, G. Papadimitriou, and P. Katsaros, "Quantitative analysis of a certified e-mail protocol in mobile environments: A probabilistic model checking approach," to appear in Computers & Security, Elsevier, 2011.

[4] A. Bianco and L. de Alfaro, "Model checking of probabilistic and nondeterministic systems," in 15th Conf. on Foundations of Computer Technology and Theoretical Computer Science, 1995, pp. 499-513.

[5] H. Hansson and B. Jonsson, "A logic for reasoning about time and reliability," Formal Aspects of Computing, vol. 6, no. 5, pp. 512-535, 1994.

[6] M. Kwiatkowska, G. Norman, D. Parker, and J. Sproston, Modeling and Verification of Real-Time Systems: Formalisms and Software Tools. John Wiley & Sons, 2008.

[7] M. Z. Kwiatkowska, G. Norman, and D. Parker, "Prism 2.0: A tool for probabilistic model checking," in Proc. of QEST'04, Netherlands, Sep. 2004, pp. 322-323.

[8] M. Z. Kwiatkowska, G. Norman, and D. Parker, "Stochastic model checking," in Proc. of SFM'07, Italy, May 2007, pp. 220-270.

[9] C. Liaskos, S. Petridou, and G. Papadimitriou, "Cost-aware wireless data broadcasting," IEEE Transactions on Broadcasting, vol. 56, no. 1, pp. 66-76, 2010.

[10] G. Lowe, "Breaking and fixing the needham-schroeder public-key protocol using fdr," Software - Concepts and Tools, vol. 17, no. 3, pp. 93-102, 1996.

[11] G. Lowe and A. W. Roscoe, "Using csp to detect errors in the tmn protocol," IEEE Trans. on Soft. Engineering, vol. 23, no. 10, pp. 659-669, 1997.

[12] S. Petridou, S. Basagiannis, N. Alexiou, G. Papadimitriou, and P. Katsaros, "Quantitative model checking of an rsa-based email protocol on mobile devices," in Proc. of the 16th IEEE Symposium on Computers and Communications (ISCC 2011) (to appear), Greece, Jun. 2011.

[13] P. Rizomiliotis, E. Rekleitis, and S. Gritzalis, "Security analysis of the song-mitchell authentication protocol for low-cost rfid tags," IEEE Comm. Letters, vol. 13, pp. 274-276, 2009.

[14] B. Song and C. J. Mitchell, "Rfid authentication protocol for low-cost tags," in 1st ACM Conf. on Wireless Network Security, New York, NY, USA, 2008, pp. 140-147.



